sa binding

Function

The sa binding command associates a VPN instance with a Security Association (SA).

The undo sa binding command cancels the configuration.

By default, a VPN instance is not associated with an SA.

This command is supported only on the NetEngine 8000 F1A.

Format

sa binding vpn-instance vpn-instance-name

undo sa binding vpn-instance vpn-instance-name

Parameters

Parameter: vpn-instance vpn-instance-name

Description: Specifies the name of the VPN instance.

Value: The value is a string of 1 to 31 case-sensitive characters without spaces. The VPN instance name must not be _public_. If the string is enclosed in double quotation marks, it can contain spaces.

Views

IKE peer view

Default Level

2: Configuration level

Task Name and Operations

Task Name: ike
Operations: write

Usage Guidelines

Usage Scenario

In an IPSec multi-VPN scenario, an IPSec device is connected to multiple VPNs. To specify the mappings between IPSec tunnels and VPNs, run the sa binding command.

After the sa binding vpn-instance vpn-instance-name command is run, packets sent from the IPSec tunnel to which the IKE peer belongs are decrypted and forwarded to the specified VPN.

Prerequisites

Before associating a VPN instance with an SA, configure a VPN instance and attributes for the routes in the VPN instance.

Example

# Associate the VPN instance vpn1 with an SA.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpn1
[*HUAWEI-vpn-instance-vpn1] ipv4-family
[*HUAWEI-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[*HUAWEI-vpn-instance-vpn1-af-ipv4] vpn-target 100:1 both
[*HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[*HUAWEI-vpn-instance-vpn1] quit
[~HUAWEI] ike peer peer1
[*HUAWEI-ike-peer-peer1] sa binding vpn-instance vpn1
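
An added offline check, not Huawei's code: it reads a saved configuration and reports IKE peers that have no sa binding, or whose sa binding names a VPN instance that is undefined or has no route-distinguisher (taken here as the minimum of the prerequisite above). The sample text, its indented '#'-separated layout, and the names audit, SAMPLE_CONFIG and NAME are assumptions.

```python
import re

# Constructed sample; the indented, '#'-separated layout is an assumption.
SAMPLE_CONFIG = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
#
ip vpn-instance vpn2
#
ike peer peer1
 sa binding vpn-instance vpn1
#
ike peer peer2
 sa binding vpn-instance vpn2
#
ike peer peer3
 sa binding vpn-instance VPN1
#
ike peer peer4
"""
NAME = r'("[^"]+"|\S+)'  # bare name, or a double-quoted name that may contain spaces

def audit(config):
    """Return {ike_peer: finding} for peers whose SA-to-VPN mapping needs review."""
    vpns, peers, kind, name = {}, {}, None, None  # vpns: name -> has RD; peers: name -> VPN
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):  # a top-level line opens a new section
            m = re.fullmatch(r"(ip vpn-instance|ike peer) " + NAME, text)
            kind, name = (m.group(1), m.group(2).strip('"')) if m else (None, None)
            if kind == "ip vpn-instance":
                vpns[name] = False  # set to True once a route-distinguisher is seen
            elif kind == "ike peer":
                peers[name] = None  # default: no VPN instance associated
        elif kind == "ip vpn-instance" and text.startswith("route-distinguisher "):
            vpns[name] = True
        elif kind == "ike peer":
            if m := re.fullmatch(r"sa binding vpn-instance " + NAME, text):
                peers[name] = m.group(1).strip('"')
    findings = {}
    for peer, vpn in peers.items():
        if vpn is None:
            findings[peer] = "no sa binding"
        elif vpn not in vpns:  # names are case-sensitive, so VPN1 is not vpn1
            findings[peer] = "undefined VPN instance"
        elif not vpns[vpn]:
            findings[peer] = "VPN instance has no route-distinguisher"
    return findings
```

Calling audit(SAMPLE_CONFIG) leaves peer1 out of the result and reports peer2, peer3 and peer4.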
Copyright © Huawei Technologies Co., Ltd.